Why we Need Standards for Breaking the Smart Grid

Transcription

1 Why we Need Standards for Breaking the Smart Grid Stephen McLaughlin 2012 Western Energy Policy Research Conference 1

2 NISTIR 7628 The organization assesses the security requirements in the Smart Grid information system on an organization-defined frequency to determine the extent the requirements are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the Smart Grid information system. -p 117 2

3 CIP

4 CIP What about ports the Responsible Entity never knew were enabled in the first place? 4

5 CIP

6 CIP Was the anti-virus software correctly configured? Can malware disable the anti-virus software? 6

7 CIP

8 CIP What about the ports and accounts the vendors did not tell anyone about? 8

9 CIP

10 CIP How can the auditor determine if the documentation is accurate? 10

11 Upshot The audit does not aim to determine how secure the system is. It aims to determine how hard the responsible entity tried to comply with the standard. In some cases, it is not clear how an auditor (or the Responsible Entity) could verify that the procedure was correctly followed. 11

12 Penetration Testing Tried and true means of security assessment 1. Try to break the computer system. 2. Break the computer system. 3. Fix the computer system. 4. GOTO 1. 12

13 An Example Computer System 13

14 Challenges for regulation Can pen-testing be standardized? Even on a vendor-specific basis? How can we accumulate the knowledge of professional hackers / pen-testers? Is pen-testing auditable? What is the impact of a discovered vulnerability? This is crucial for determining severity levels of a violation during an audit. Can a pen-test strategy be specified in less than 600 pages. (Say, more like 50.) 14

15 Attack Trees A means for pen-testing planning Tamper Measurement OR Tamper Usage Data Tamper Stored Demand (a) (b) (c) Bypass Meter AND OR Reverse Meter AND Reset Net Usage AND OR OR Physically Tamper Storage A2.3 Tamper in Network AND Intercept Communications A3.1 Inject Usage Data OR Disconnect Meter A1.1 Clear Logged Events AND Meter Inversion A1.2 Log In and Reset Net Usage A2.2 Man in the Middle A3.2 Spoof Meter A3.3 Log In and Clear Event History A1.3 Recover Meter Passwords A2.1 15

16 What We Found 16

17 Addressing the challenges Attack trees can standardize pen-testing by combining different expert s knowledge using the AND/OR connectives. The leaves of the attack trees form an auditable list of attacks that should be attempted against a system. The root (goal) of the attack tree specifies the impact of a vulnerability. Attack trees are succinct and unambiguous. 17

18 Summary Existing cybersecurity standards for smart electric grids don t help determine how secure a system is. Only how hard the utility tried to secure a system Penetration testing is an alternative means of security evaluation that helps to determine how insecure a system is. By codifying pen-testing strategies into attack trees, pen tests gain the useful properties needed to for a cybersecurity standard. We have used this methodology successfully in vulnerability testing smart electric meters. 18

19 Thanks! Stephen McLaughlin Project : Publications Patrick McDaniel and Stephen McLaughlin. Structured Security Testing in the Smartgrid. 5th International Symposium on Communications, Control, and Signal Processing. Rome, Italy. May Stephen McLaughlin, Dmitry Podkuiko, Adam Delozier, Sergei Miadzvezhanka, and Patrick McDaniel. Multi-vendor Penetration Testing in the Advanced Metering Infrastructure. Proceedings of the 26th Annual Computer Security Applications Conference (ACSAC), December Austin, TX. Stephen McLaughlin, Dmitry Podkuiko, Adam Delozier, Sergei Miadzvezhanka, and Patrick McDaniel. Embedded Firmware Diversity for Smart Electric Meters. Proceedings of the 5th Workshop on Hot Topics in Security (HotSec '10), August Washington, DC. Stephen McLaughlin, Dmitry Podkuiko, and Patrick McDaniel. Energy Theft in the Advanced Metering Infrastructure. In the 4th International Workshop on Critical Information Infrastructure Security, September Bonn, Germany. 19